feat(profile): general update.
This commit is contained in:
parent
ef1776b8d5
commit
6a81d335f8
10 changed files with 19 additions and 45 deletions
|
@ -12,22 +12,16 @@
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/deny-sensitive-home>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/disks-read>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/gstreamer>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/opencl-mesa>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/video>
|
||||
include <abstractions/vulkan>
|
||||
|
||||
/usr/** r,
|
||||
|
||||
|
|
|
@ -16,20 +16,15 @@
|
|||
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/fontconfig-cache-read>
|
||||
include <abstractions/fonts>
|
||||
include <abstractions/freedesktop.org>
|
||||
include <abstractions/gtk>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics-full>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/thumbnails-cache-read>
|
||||
include <abstractions/user-download-strict>
|
||||
include <abstractions/user-read>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/wayland>
|
||||
|
||||
# userns,
|
||||
|
||||
|
@ -97,7 +92,6 @@
|
|||
/usr/share/chromium/extensions/{,**} r,
|
||||
/usr/share/egl/{,**} r,
|
||||
/usr/share/hwdata/pnp.ids r,
|
||||
/usr/share/libdrm/*.ids r,
|
||||
/usr/share/mozilla/extensions/{,**} r,
|
||||
/usr/share/qt{5,}/translations/*.qm r,
|
||||
/usr/share/webext/{,**} r,
|
||||
|
@ -105,7 +99,6 @@
|
|||
/etc/@{name}/{,**} r,
|
||||
/etc/fstab r,
|
||||
/etc/igfx_user_feature{,_next}.txt w,
|
||||
/etc/libva.conf r,
|
||||
/etc/opensc.conf r,
|
||||
|
||||
/var/lib/dbus/machine-id r,
|
||||
|
@ -119,10 +112,7 @@
|
|||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
|
||||
owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
|
||||
|
||||
owner @{user_cache_dirs}/ rw,
|
||||
owner @{user_config_dirs}/ r,
|
||||
owner @{user_config_dirs}/gtk-3.0/servers r,
|
||||
owner @{user_share_dirs}/ r,
|
||||
owner @{user_share_dirs}/.@{domain}.* rw,
|
||||
|
||||
owner @{config_dirs}/ rw,
|
||||
|
@ -182,20 +172,16 @@
|
|||
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/**/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/**/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
@{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
|
||||
@{sys}/devices/@{pci}/boot_vga r,
|
||||
@{sys}/devices/@{pci}/{resource,irq} r,
|
||||
@{sys}/devices/@{pci}/report_descriptor r,
|
||||
@{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
|
||||
@{sys}/devices/system/cpu/kernel_max r,
|
||||
@{sys}/devices/system/cpu/present r,
|
||||
@{sys}/devices/virtual/**/report_descriptor r,
|
||||
@{sys}/devices/virtual/dmi/id/product_name r,
|
||||
@{sys}/devices/virtual/dmi/id/sys_vendor r,
|
||||
@{sys}/devices/virtual/tty/tty[0-9]/active r,
|
||||
@{sys}/devices/virtual/tty/tty@{int}/active r,
|
||||
|
||||
/dev/ r,
|
||||
/dev/hidraw@{int} rw,
|
||||
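Review bot: The commented-out `# userns,` in the include hunk (`@ -16,20 +16,15`) carries no explanation, and on kernels with `kernel.apparmor_restrict_unprivileged_userns=1` a profile without a `userns` rule cannot create user namespaces, which for what appears to be a Chromium-based browser (the `/usr/share/chromium/extensions` and `.pki/nssdb` rules further down) typically means its namespace sandbox is unavailable and it has to fall back to the setuid helper or refuse to start. Whether that is intended cannot be told from this page, since the line may be unchanged context. I would record the decision next to it: `# userns deliberately not granted: sandbox must use the setuid helper — TODO confirm startup on restricted kernels`. The `/dev/hidraw@{int} rw,` rule at the end of the last hunk grants raw HID report I/O and likewise deserves a one-line why-comment. The enclosing profile begins and ends outside these hunks.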
|
|
|
@ -27,7 +27,7 @@
|
|||
#owner /tmp/orcexec.* mrw,
|
||||
#owner @{HOME}/orcexec.* mrw,
|
||||
|
||||
@{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
|
||||
@{run}/udev/data/+drm:card@{int}-* r, # For screen outputs
|
||||
@{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
|
||||
|
||||
@{run}/udev/data/c81:@{int} r, # For video4linux
|
||||
|
|
|
@ -5,7 +5,6 @@
|
|||
|
||||
abi <abi/3.0>,
|
||||
|
||||
# new user; change to 'c'
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
|
||||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
|
||||
|
||||
|
|
|
@ -16,20 +16,14 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
|
|||
include <abstractions/consoles>
|
||||
include <abstractions/dbus-session>
|
||||
include <abstractions/dconf-write>
|
||||
include <abstractions/desktop>
|
||||
include <abstractions/devices-usb>
|
||||
include <abstractions/dri-common>
|
||||
include <abstractions/dri-enumerate>
|
||||
include <abstractions/gnome-strict>
|
||||
include <abstractions/mesa>
|
||||
include <abstractions/graphics>
|
||||
include <abstractions/nameservice-strict>
|
||||
include <abstractions/opencl-intel>
|
||||
include <abstractions/opencl-mesa>
|
||||
include <abstractions/opencl-nvidia>
|
||||
include <abstractions/openssl>
|
||||
include <abstractions/p11-kit>
|
||||
include <abstractions/ssl_certs>
|
||||
include <abstractions/video>
|
||||
include <abstractions/vulkan>
|
||||
include <abstractions/zsh>
|
||||
|
||||
capability dac_override,
|
||||
|
|
|
@ -9,6 +9,7 @@ include <tunables/global>
|
|||
@{exec_path} = @{bin}/xdg-user-dirs-update
|
||||
profile xdg-user-dirs-update @{exec_path} {
|
||||
include <abstractions/base>
|
||||
include <abstractions/xdg-desktop>
|
||||
|
||||
@{exec_path} mr,
|
||||
|
||||
|
@ -39,7 +40,6 @@ profile xdg-user-dirs-update @{exec_path} {
|
|||
/var/lib/sddm/@{XDG_TEMPLATES_DIR}/ rw,
|
||||
/var/lib/sddm/@{XDG_VIDEOS_DIR}/ rw,
|
||||
|
||||
# new user; change to 'c'
|
||||
owner @{HOME}/@{XDG_DESKTOP_DIR}/ w,
|
||||
owner @{HOME}/@{XDG_DOCUMENTS_DIR}/ w,
|
||||
owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w,
|
||||
|
@ -48,7 +48,6 @@ profile xdg-user-dirs-update @{exec_path} {
|
|||
owner @{HOME}/@{XDG_PUBLICSHARE_DIR}/ w,
|
||||
owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
|
||||
owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
|
||||
owner @{user_config_dirs}/ w,
|
||||
|
||||
owner @{user_config_dirs}/user-dirs.dirs rw,
|
||||
owner @{user_config_dirs}/user-dirs.dirs@{rand6} rw,
|
||||
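Review bot: The comment `# new user; change to 'c'` (hunk `@ -39,7 +40,6`) does not say what the rules below it are for or why `w` is a compromise, and `w` on a directory path permits removing or renaming that directory as well as creating it. I would spell it out: `# Create the XDG directories for a fresh account; 'w' also allows rmdir/rename — switch to a create-only mode once the targeted parser accepts one`. If the 'c' mode this refers to is not something the AppArmor versions the project targets accept, the comment should say so rather than leave a TODO the reader cannot act on. The xdg-user-dirs-update profile body continues outside the visible hunks.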
|
|
|
@ -7,7 +7,7 @@ abi <abi/3.0>,
|
|||
include <tunables/global>
|
||||
|
||||
@{exec_path} = @{bin}/gnome-music
|
||||
profile gnome-music @{exec_path} {
|
||||
profile gnome-music @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/audio>
|
||||
include <abstractions/dconf-write>
|
||||
|
@ -48,6 +48,7 @@ profile gnome-music @{exec_path} {
|
|||
@{run}/systemd/inhibit/[0-9]*.ref rw,
|
||||
|
||||
owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
|
||||
owner /var/tmp/etilqs_@{hex} rw,
|
||||
|
||||
@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
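Review bot: The new `flags=(attach_disconnected)` on the gnome-music profile header comes without a comment naming the disconnected path that required it, and the flag changes mediation for every disconnected object by attaching it at the namespace root, so the motivating denial is worth recording. I would add above the header: `# attach_disconnected: needed for <denied path> — TODO cite the audit line that motivated it`. The added `owner /var/tmp/etilqs_@{hex} rw,` would also read better with `# SQLite temporary database files`, since the prefix is not self-explanatory. The profile body extends beyond the visible hunks.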
|
|
|
@ -12,6 +12,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/bus-accessibility>
|
||||
include <abstractions/bus-session>
|
||||
include <abstractions/bus-system>
|
||||
include <abstractions/bus/com.canonical.Unity.LauncherEntry>
|
||||
include <abstractions/bus/org.a11y>
|
||||
include <abstractions/bus/org.freedesktop.hostname1>
|
||||
include <abstractions/bus/org.freedesktop.portal.Desktop>
|
||||
|
@ -69,11 +70,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
|
|||
member=Print
|
||||
peer=(name=:*, label=nautilus),
|
||||
|
||||
dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
|
||||
interface=com.canonical.Unity.LauncherEntry
|
||||
member=Update
|
||||
peer=(name=org.freedesktop.DBus, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/freedesktop/DBus
|
||||
interface=org.freedesktop.DBus
|
||||
member=ListActivatableNames
|
||||
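Review bot: Replacing the inline `dbus send ... interface=com.canonical.Unity.LauncherEntry ... peer=(name=org.freedesktop.DBus, label=gnome-shell)` rule with `include <abstractions/bus/com.canonical.Unity.LauncherEntry>` drops a peer-label constraint whose replacement is not visible on this page, so please confirm the abstraction pins the receiver at least as tightly; if it only restricts interface and member, nautilus can now send LauncherEntry updates to any session-bus peer. A short comment beside the include, such as `# LauncherEntry: abstraction must keep the peer scoped to gnome-shell`, would make the intent auditable. The nautilus profile body continues outside the hunk.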
|
|
|
@ -22,9 +22,9 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
|||
|
||||
/etc/netplan/{,*} r,
|
||||
|
||||
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} w,
|
||||
@{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
|
||||
@{run}/NetworkManager/system-connections/ r,
|
||||
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} w,
|
||||
@{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
|
||||
@{run}/systemd/system/ r,
|
||||
@{run}/systemd/system/netplan-* rw,
|
||||
@{run}/systemd/system/systemd-networkd.service.wants/ r,
|
||||
|
@ -51,8 +51,12 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
|
|||
include <abstractions/base>
|
||||
include <abstractions/systemd-common>
|
||||
|
||||
capability net_admin,
|
||||
|
||||
@{bin}/systemctl mr,
|
||||
|
||||
owner @{run}/systemd/private rw,
|
||||
|
||||
include if exists <local/netplan.script_systemctl>
|
||||
}
|
||||
|
||||
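Review bot: `capability net_admin,` in the `systemctl` child profile (hunk `@ -51,8 +51,12`) looks out of place, since the child only executes `@{bin}/systemctl` and talks to systemd over `@{run}/systemd/private`, neither of which I would expect to need a network-administration capability. If it was added to silence an audit entry, check whether the operation actually fails without it; a harmless denial is better expressed as `deny capability net_admin,` than as a grant. Either way a why-comment is needed, e.g. `# net_admin: <syscall/denial that triggered it>`. The main netplan.script profile starts outside the hunks.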
|
|
|
@ -10,6 +10,7 @@ include <tunables/global>
|
|||
profile irqbalance @{exec_path} flags=(attach_disconnected) {
|
||||
include <abstractions/base>
|
||||
|
||||
capability net_admin,
|
||||
capability setpcap,
|
||||
|
||||
network netlink raw,
|
||||
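Review bot: The added `capability setpcap,` has no comment explaining why irqbalance needs it; setpcap lets the process drop capabilities from its bounding set, which is presumably what irqbalance's privilege-dropping at startup requires, but that inference should be recorded rather than left to the next reader. I would annotate it: `# setpcap: irqbalance drops capabilities from its bounding set at startup — TODO confirm against the audit denial`. The irqbalance profile body continues outside the hunk.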
|
|